Re-adding the libvirt-users list - please don't take discussions off-list.

On Mon, Dec 10, 2018 at 01:10:18PM +0300, Anastasiya Ruzhanskaya wrote:
> I already found out how to set up all the certificates and tls works fine
> for me.
> What if I want to put a proxy between client and server in libvirt? He has
> his own CA, and this is only one more CA I would like libvirt to trust.
> Is it somehow achievable? I see that libvirt takes certificates only from
> predefined paths. It doesn't work for me if I just insert another CA
> certificate into the cacert.pem file. Do you know any approaches how it can
> be made in another way?

The cacert.pem file can contain multiple certificates, just concatenate
all the CA pem files.

>
> Mon, 10 Dec 2018 at 12:38, Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
>
> > On Sat, Dec 08, 2018 at 11:19:40AM +0300, Anastasiya Ruzhanskaya wrote:
> > > Hello!
> > > Does libvirt use certificate pinning in tls? I want to set up a
> > > transparent proxy (mitmproxy) and can't do this even after I added
> > > mitmproxy ca certificate to the trusted certificates in ubuntu.
> >
> > Libvirt doesn't ever use the global certificates stores, because public
> > CAs are not relevant to libvirt deployments - indeed trusting the global
> > cert store in the OS would lower security by opening it up to arbitrary
> > CAs. See this doc for where libvirt finds CA certs
> >
> >   https://libvirt.org/remote.html#Remote_certificates
> >
> > Regards,
> > Daniel

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
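The reply above says cacert.pem can hold several CA certificates by concatenating the PEM files. The following is an added example, not code from the thread or from libvirt: it merges PEM bundles so that every block keeps its own marker lines even when an input file lacks a final newline, drops duplicates, and returns a SHA-256 fingerprint per CA so the resulting trust list can be audited. The names `to_pem` and `merge_bundles` and the sample bytes are assumptions made for the illustration.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)


def to_pem(der: bytes) -> str:
    """Encode DER bytes as one PEM block, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"


def merge_bundles(*bundles: str):
    """Merge PEM bundles; return (normalized PEM text, SHA-256 fingerprints)."""
    seen, blocks = [], []
    for text in bundles:
        found = BLOCK.findall(text)
        # Unbalanced markers mean a truncated or hand-edited block.
        if len(found) != text.count(BEGIN) or len(found) != text.count(END):
            raise ValueError("unbalanced BEGIN/END CERTIFICATE markers")
        for body in found:
            # validate=True rejects stray non-base64 characters in the body.
            der = base64.b64decode("".join(body.split()), validate=True)
            fingerprint = hashlib.sha256(der).hexdigest()
            if fingerprint not in seen:  # drop CAs that are listed twice
                seen.append(fingerprint)
                blocks.append(to_pem(der))
    return "".join(blocks), seen


# Constructed sample input: placeholder bytes, not real X.509 certificates.
EXISTING_CA = to_pem(b"constructed-existing-ca" * 10)
PROXY_CA = to_pem(b"constructed-proxy-ca" * 10).rstrip("\n")  # no final newline

if __name__ == "__main__":
    naive = PROXY_CA + EXISTING_CA  # byte-for-byte what plain `cat` yields
    print("fused marker line in naive output:", (END + BEGIN) in naive)
    merged, fingerprints = merge_bundles(naive, EXISTING_CA)
    print(merged, end="")
    for fp in fingerprints:
        print("trusted CA sha256:", fp)
```

Every certificate left in the merged file is a CA that libvirt will trust, so the fingerprint list is the thing to review before installing it.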